[Openid-specs-ab] Spec call notes 13-Jun-11

Breno de Medeiros breno at google.com
Mon Jun 13 22:53:26 UTC 2011


some feedback and clarification

On Mon, Jun 13, 2011 at 15:45, Mike Jones <Michael.Jones at microsoft.com> wrote:
> Spec call notes 13-Jun-11
>
>
>
> Nat Sakimura
>
> John Bradley
>
> Edmund Jay
>
> Mike Jones
>
>
>
> Edmund met with Breno
>
> Breno and Facebook want to use new OAuth response types - comma separated
>
>                 code,token,session
>
>     Session is what we used to call the ID Token
>
>     Facebook also proposed a response type "none"
>
>
>
>     John believes that current OAuth draft only allows you to ask for one
> token type
>
>                 Breno thinks it's being changed
>
>                 We need to monitor this in the draft
>
>
>
> Breno and Edmund discussed how to restructure the session management to make
> it more readable
>
>                 Edmund is working on that
>

I also asked Edmund to redo the draft to make it more clearly
articulated around the response types, as in the core OAuth2 spec, and
split the session management part into one for web apps and another
for mobile app authentication to 4th parties.

>
>
> They talked about additional request parameters related to the user
> experience.  Breno proposed
>
>                 display={none,mobile,popup}
>
>
>
> They discussed a parameter expressing the approval required
>
> This would be a space-separated list of the following choices:
>
>                 prompt=login consent selectaccount
>
>
>
> They discussed a nonce parameter
>
>                 John wasn't sure what they were trying to accomplish with
> this

I think the FB use case is to create a version of PAPE that doesn't
require synchronized clocks. One can send a nonce and prompt=login and
check the nonce to validate that the user was prompted. I found that
interesting for discussion here.

>
>                 Edmund said that it would be passed back as part of the
> session token
>
>                 Apparently Facebook is interested in this
>
>                 Edmund will follow up with Breno on this and get a
> description of it
>
>
>
> They discussed the token introspection endpoint
>
>                 It can either be called with an access token or session
> token
>
>
>
> Edmund expects to get these things written up this week
>
>
>
> John has been working on writing up how to get back multiple endpoints for
> the OpenID provider
>
>                 He will try to circulate something tomorrow
>
>
>
> Mike committed to update the UserInfo endpoint schema - will try to
> circulate something tomorrow or Wednesday
>
>
>
> Scott Cantor and John had discussed that a problem with SAML has been not
> nailing down the EntityID format for the issuer
>
>                 We should try to avoid this
>
>                 Is it a URL for one of our endpoints, or something more
> abstract?
>
>                 We probably need to be specific about what the identifier
> for the IdP is
>
>                 The initial endpoint where you do discovery for the
> identifiers is likely a good choice
>
>                 John will take a stab at this as part of his write-up
>
>
>
> John, Nat, and Mike are planning to go to the OpenID summit in Colorado
>
> They also plan to go to the IETF meeting in Quebec City that is soon after
> it
>
>
>
> Don is meeting with Alan Tom and Eric this week about the Connect launch
> plan
>
>                 John plans to try to call in for that
>
>
>
> We plan to have specs complete enough for early implementers by the end of
> this month
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>



-- 
--Breno
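As an added illustration of the nonce idea raised in Breno's reply (example code, not from the thread or from any OpenID draft): the relying party sends a fresh nonce together with prompt=login and accepts the returned session token only if it echoes a nonce that was issued and not yet consumed, so the freshness check needs no synchronized clocks. Parameter names and separators follow the call notes; the `nonce` claim inside the session token, the endpoint URLs and client identifiers are assumptions.

```python
import secrets
from urllib.parse import urlencode

# Request parameters as described in the call notes: response_type values
# are comma-separated, prompt values are space-separated.
def auth_request_params(client_id, redirect_uri, response_types, display, prompts, nonce):
    return {
        "response_type": ",".join(response_types),
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "display": display,            # one of none, mobile, popup
        "prompt": " ".join(prompts),   # subset of login, consent, selectaccount
        "nonce": nonce,
    }

def auth_request_url(endpoint, params):
    return endpoint + "?" + urlencode(params)

def new_nonce(pending):
    """Issue an unpredictable nonce and remember it as outstanding."""
    nonce = secrets.token_urlsafe(16)
    pending.add(nonce)
    return nonce

def check_session_token(claims, pending):
    """Accept the session token only if it echoes a nonce we issued.

    `claims` is the already signature-verified payload of the session token
    (a dict; the 'nonce' claim name is an assumption). Each nonce is single
    use, so a replayed token fails, and no timestamp comparison is involved.
    """
    nonce = claims.get("nonce")
    if nonce is None or nonce not in pending:
        return False
    pending.discard(nonce)
    return True

if __name__ == "__main__":
    pending = set()                     # per-RP store of outstanding nonces
    n = new_nonce(pending)
    params = auth_request_params("rp-client", "https://rp.example/cb",
                                 ["code", "token", "session"], "popup",
                                 ["login", "consent"], n)
    print(auth_request_url("https://op.example/authorize", params))
    print(check_session_token({"nonce": n}, pending))   # fresh: True
    print(check_session_token({"nonce": n}, pending))   # replay: False
```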


